Another kind of database

08.04.2005
By Ephraim Schwartz

Based on the boilerplate description SenSage Inc. uses to describe itself as a "security information management" solution provider, no one would guess that the company offers a unique database management system: one that addresses log data.

In the age of compliance and audits, and with the ever-present danger of both external and internal security threats, system log entries will soon play a far more significant role in the enterprise.

"When an event happens at a firewall, a router, or in an application, log data is generated and we have a solution that stores that data," said Bruce Scott, vice president at SenSage.

Logged data has peculiar characteristics, according to Scott, that make it a poor fit for a relational database.

Adam Sah, the founder of the company, created a way to model enterprise log data and a way to run queries against that information that is not possible in a traditional RDBMS, Scott said.

For example, a firewall will reveal the IP address of the source of a request and its destination, as well as which users are accessing which resources and tables.

"All of this data has a time stamp," Scott said.

Because the data is also highly repetitive (IP addresses in a NOC, or Network Operations Center, recur over and over again), it can be highly compressed, 40-to-1, Scott says, and can be stored on less costly systems.

Although the answer to a query in a relational database can be found in a single record, logged data is different. With logged data, the requester has only a notion of what he or she wants, and the query is used for discovery. For example, a query might ask whether anyone is accessing a particular file more than once per day and when they accessed it.
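To make the two properties described above concrete (columns such as IP addresses that repeat and therefore compress well, and discovery-style queries such as "who touched this file more than once in a day, and when"), here is an added example. It is not SenSage's code and does not reflect how their product works internally; the log format, the sample lines and the function names (`parse_log`, `dictionary_encode`, `repeated_access`) are all constructed for illustration.

```python
"""Toy column-store sketch over constructed firewall-style log lines.

Added example, not SenSage's code. Shows (1) why a repetitive column such as
source IP shrinks under dictionary encoding and (2) a discovery query over
time-stamped entries: which user accessed a resource more than once per day.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, destination IP, user, resource.
SAMPLE_LOG = """\
2005-04-07T08:12:01 10.1.1.20 10.1.5.7 alice /finance/q1-report.xls
2005-04-07T08:14:33 10.1.1.20 10.1.5.7 alice /finance/q1-report.xls
2005-04-07T09:02:10 10.1.1.31 10.1.5.7 bob /hr/salaries.xls
2005-04-07T17:45:09 10.1.1.20 10.1.5.7 alice /finance/q1-report.xls
2005-04-08T08:10:44 10.1.1.31 10.1.5.7 bob /hr/salaries.xls
2005-04-08T08:11:02 10.1.1.31 10.1.5.7 bob /hr/salaries.xls
2005-04-08T10:30:15 10.1.1.42 10.1.5.9 carol /eng/design.doc
"""

FIELDS = ("ts", "src", "dst", "user", "resource")


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; 'ts' becomes a datetime."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines instead of aborting the batch
        row = dict(zip(FIELDS, parts))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def dictionary_encode(rows, field):
    """Column-wise dictionary encoding for one field.

    Returns (dictionary, codes, raw_bytes, encoded_bytes). raw_bytes counts the
    text as it sits in the log (value plus separator); encoded_bytes counts the
    distinct values once plus one byte per row for the code (valid while the
    column has fewer than 256 distinct values). The more a column repeats, the
    larger raw_bytes / encoded_bytes becomes.
    """
    dictionary, lookup, codes = [], {}, []
    raw_bytes = 0
    for row in rows:
        value = row[field]
        raw_bytes += len(value.encode()) + 1
        if value not in lookup:
            lookup[value] = len(dictionary)
            dictionary.append(value)
        codes.append(lookup[value])
    encoded_bytes = sum(len(v.encode()) + 1 for v in dictionary) + len(codes)
    return dictionary, codes, raw_bytes, encoded_bytes


def repeated_access(rows, resource, min_per_day=2):
    """Discovery query: who accessed `resource` at least `min_per_day` times on
    one calendar day, and at which timestamps.

    Returns {(user, date): [sorted timestamps]} for every (user, day) that
    meets the threshold, so the analyst sees the 'when' as well as the 'who'.
    """
    per_user_day = defaultdict(list)
    for row in rows:
        if row["resource"] == resource:
            per_user_day[(row["user"], row["ts"].date())].append(row["ts"])
    return {key: sorted(times) for key, times in per_user_day.items()
            if len(times) >= min_per_day}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for field in ("src", "dst", "user"):
        _, _, raw, enc = dictionary_encode(rows, field)
        print(f"{field}: {raw} raw bytes -> {enc} encoded bytes ({raw / enc:.2f}x)")
    for (user, day), times in repeated_access(rows, "/finance/q1-report.xls").items():
        print(user, day, [t.strftime('%H:%M:%S') for t in times])
```

On the seven constructed lines the ratio is modest, because the sample has only a handful of rows per distinct value; the point is that the encoded size grows by one byte per row while the dictionary stops growing once every address has been seen, which is the behaviour Scott is describing for real NOC traffic. `repeated_access` groups by user and calendar day and keeps the timestamps, which is the "and when they accessed it" half of the query.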

According to Scott, this kind of data can be used to find someone illegally downloading corporate data or data illegally sent to another account.

"It's impossible to cover your tracks," Scott said.

In fact, one field of a log entry is usually the user ID.

SenSage's technology may also have a place beyond security. The unique feature of time-stamped data is also a characteristic of RFID data.

"If you have a product or inventory piece and you want to know every step of the way, you have billions of log entries every year but a relational database couldn't manage that. We can," Scott said.